In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:
+************************** vv NOTE WELL vv *****************************
+
+The vulnerabilities listed below can be significantly mitigated by
+following the BCP of putting
+
+ restrict default ... noquery
+
+in the ntp.conf file. With the exception of:
+
+ receive(): missing return on error
+ References: Sec 2670 / CVE-2014-9296 / VU#852879
+
+below (which is a limited-risk vulnerability), none of the recent
+vulnerabilities listed below can be exploited if the source IP is
+restricted from sending a 'query'-class packet by your ntp.conf file.
+
+************************** ^^ NOTE WELL ^^ *****************************
+
* Weak default key in config_auth().
References: [Sec 2665] / CVE-2014-9293 / VU#852879
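Review bot: The NOTE WELL block writes the directive as "restrict default ... noquery", while the per-entry bullets added further down write 'restrict ... noquery' without "default"; use one form throughout so readers do not have to guess whether a non-default restrict line is meant. "BCP" is also used without being expanded or pointing to where the practice is documented. The exception sentence is hard to parse because the indented receive() entry sits between "With the exception of:" and "below"; consider stating the general rule first and naming the exception afterwards.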
entropy. This was sufficient back in the late 1990s when the
code was written. Not today.
- Mitigation: Upgrade to 4.2.7p11 or later.
+ Mitigation - any of:
+ - Upgrade to 4.2.7p11 or later.
+ - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
of the Google Security Team.
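Review bot: "Mitigation - any of:" presents the upgrade and the noquery restriction as equal alternatives, but the NOTE WELL block only says the issues "can be significantly mitigated" by that setting, and only "if the source IP is restricted". Suggest marking the upgrade as the fix and wording the second bullet as a mitigation that applies to sources covered by the restrict line. The same wording recurs in the later entries that gain this bullet.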
cryptographic random number generator, either RAND_bytes from
OpenSSL, or arc4random().
- Mitigation: Upgrade to 4.2.7p230 or later.
+ Mitigation - any of:
+ - Upgrade to 4.2.7p230 or later.
+ - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
Credit: This vulnerability was discovered in ntp-4.2.6 by
Stephen Roettger of the Google Security Team.
buffer and potentially allow malicious code to be executed
with the privilege level of the ntpd process.
- Mitigation: Upgrade to 4.2.8, or later, or
- Disable Autokey Authentication by removing, or commenting out,
- all configuration directives beginning with the crypto keyword
- in your ntp.conf file.
+ Mitigation - any of:
+ - Upgrade to 4.2.8, or later, or
+ - Disable Autokey Authentication by removing, or commenting out,
+ all configuration directives beginning with the crypto keyword
+ in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
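Review bot: This entry's list offers only the upgrade and disabling Autokey, with no noquery bullet, yet the NOTE WELL block names receive() as the only exception to the noquery mitigation. Either add the bullet here or narrow the note so the two agree. The first bullet also still ends in ", or", which is redundant under "any of:".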
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
- Mitigation: Upgrade to 4.2.8, or later.
+ Mitigation - any of:
+ - Upgrade to 4.2.8, or later.
+ - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
- Mitigation: Upgrade to 4.2.8, or later.
+ Mitigation - any of:
+ - Upgrade to 4.2.8, or later.
+ - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
becomes a 5. If system integrity can be partially affected
via all three integrity metrics, the CVSS base score become 7.5.
- Mitigation:
- Upgrade to 4.2.8, or later,
- or Remove or comment out all configuration directives
- beginning with the crypto keyword in your ntp.conf file.
+ Mitigation - any of:
+ - Upgrade to 4.2.8, or later,
+ - Remove or comment out all configuration directives
+ beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
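Review bot: The first bullet keeps the trailing comma from the old sentence form ("Upgrade to 4.2.8, or later,"); drop it now that the items are separate bullets. While this entry is being touched, "the CVSS base score become 7.5" in the context line above should read "becomes". As with the other crypto entry, this list has no noquery bullet, which needs reconciling with the NOTE WELL wording.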